Configure policy sets, bindings, and SAML-specific tokens to secure web services and messages.
To secure messages using SAML, you can import the SAML default policy sets and modify them to enable SAML function. Because WebSphere® Application Server with SAML does not support attaching a policy set directly to a Web services client, you must specify the policy sets and bindings used to enable SAML as custom properties in the web services client binding document.
You can also create a SAML bearer token using the SAML library API. A bearer token contains a bearer assertion, which is used to facilitate web browser single sign-on (SSO). Other SAML set up tasks described in this section include configuring policy sets and bindings for a bearer token, or a holder-of-key token, or to communicate with a Security Token Service (STS).
See the following topics for more information about securing messages using SAML.
Secure SAML tokens at the message level by enabling assertion signing.
Configure policy sets and binding documents to enable a web services client to request SAML assertions from an external Security Token Service (STS).
A SAML bearer token is a SAML token that uses the Bearer subject confirmation method. In a bearer subject confirmation method, a sender of SOAP messages is not required to establish correspondence that binds a SAML token with contents of the containing SOAP message. You can configure the client and provider policy set attachments and bindings for the SAML bearer token.
Configure the client and provider policy set attachments and bindings for the SAML holder-of-key token. This configuration scenario uses a symmetric key.
You can configure the client and provider policy set attachments and bindings for the SAML sender-vouches token. A SAML sender-vouches token is a SAML token that uses the sender-vouches subject confirmation method. The sender-vouches confirmation method is used when a server needs to propagate the client identity or behavior of the client.
The SAMLIssuerConfig.properties file usage is deprecated in WebSphere Application Server Version 8. You can use the listSAMLIssuerConfig and updateSAMLIssuerConfig wsadmin command tasks to read and modify the SAMLIssuerConfig.properties cell level and server level configuration files. Starting with WebSphere Application Server Version 8, you should use the administrative console or the setSAMLIssuerConfigInBinding command task to specify a self-issued SAML token's configuration as custom properties in the requester's outbound configuration in the general bindings or in the application-specific bindings. Do not use server level and cell level SAMLIssuerConfig.properties file.
In this information ... | IBM Redbooks, demos, education, and more(Index) |